AI Sec Watch

ChuanhuChatGPT version 20240918 has an unauthenticated Denial of Service vulnerability (DoS, a type of attack that makes a service unavailable) that can be triggered by sending specially formatted data with multipart boundaries or grouped characters. Even though a previous patch was applied, attackers can still exploit this by sending data in lines of 10 characters repeatedly, causing the system to get stuck processing and become unavailable.

CVE-2024-10648 is a path traversal vulnerability (a flaw where an attacker manipulates file paths to access unintended files) in Gradio's Audio component that lets attackers control audio file formats and delete file contents, potentially causing a denial of service (a situation where a system becomes unavailable to legitimate users). By changing the output format, an attacker can empty any file on the server.

A ReDoS (regular expression denial of service, where specially crafted text causes a regex pattern to take extremely long to process) vulnerability exists in Gradio's datetime component. An attacker can send a malicious input that makes the vulnerable regex pattern consume all of a server's CPU resources, causing the Gradio application to become unresponsive.

CVE-2024-10569 is a vulnerability in Gradio's dataframe component that allows a zip bomb attack (a compressed file designed to crash systems when decompressed). An attacker can upload a malicious compressed file, which the component processes using pd.read_csv (a function that reads spreadsheet data), causing the server to crash and become unavailable.

CVE-2024-10188 is a vulnerability in BerriAI/litellm that allows unauthenticated users to crash the litellm Python server by exploiting unsafe input parsing. The vulnerability exists because the code uses ast.literal_eval (a Python function that evaluates code, which is not safe for untrusted input) to process user-supplied data, making it vulnerable to DoS (denial of service, where attackers make a service unavailable) attacks.

CVE-2024-8502 is a vulnerability in modelscope/agentscope v0.0.6a3 where the RpcAgentServerLauncher class unsafely deserializes (converts serialized data back into code) untrusted data using the dill library, allowing attackers to execute arbitrary commands on the server. The vulnerability exists in the AgentServerServicer.create_agent method, which directly deserializes user input without validation.

CVE-2024-12911 is a vulnerability in the `default_jsonalyzer` function of `JSONalyzeQueryEngine` in the llama_index library that allows attackers to perform SQL injection (inserting malicious SQL commands) through prompt injection (hiding hidden instructions in the AI's input). This can lead to arbitrary file creation and denial-of-service attacks (making a system unavailable by overwhelming it).

InvokeAI versions 5.3.1 through 5.4.2 contain a remote code execution vulnerability (the ability for attackers to run commands on a system they don't own) in the model installation API. The flaw comes from unsafe deserialization (converting data back into usable code without checking if it's trustworthy) of model files using torch.load, which allows attackers to hide malicious code in model files that gets executed when loaded.

In gpt_academic version 3.83 and earlier, the CodeInterpreter plugin has a vulnerability where prompt injection (tricking an AI by hiding instructions in its input) allows attackers to inject malicious code. Because the application executes LLM-generated code without a sandbox (a restricted environment that isolates code from the main system), attackers can achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) and potentially take over the backend server.